Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks∗

Benoît Cogliati1, Yevgeniy Dodis2, Jonathan Katz3, Jooyoung Lee4, John Steinberger5, Aishwarya Thiruvengadam6, and Zhe Zhang7

1 University of Luxembourg, Luxembourg, [email protected] 2 New York University, USA, [email protected] 3 University of Maryland, USA, [email protected] 4 KAIST, Korea, [email protected] 5 [email protected] 6 University of California, Santa Barbara, [email protected] 7 Tsinghua University, Beijing, [email protected]

Abstract. Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permu- tation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond- birthday” (up to 22n/3 adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permuta- tions (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w ≥ 2); the tweakable block cipher provides security up to 22n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.

Keywords: substitution-permutation networks, tweakable block ciphers, domain extension of block ciphers, beyond-birthday-bound security

∗ c IACR 2018. This article is the final version submitted by the author(s) to the IACR and to Springer-Verlag on 2018-06-10. The version published by Springer-Verlag is available at 10.1007/978-3-319-96884-1_24 1 Introduction

Substitution-Permutation Networks. Modern block ciphers are gener- ally constructed using two main paradigms [KL15]: Feistel networks [Fei73] or substitution-permutation networks (SPNs) [Sha49, Fei73]. Examples of block ciphers based on Feistel networks include DES, FEAL, MISTY and KASUMI; block ciphers based on SPNs include AES, Serpent, and PRESENT. These two approaches share the same goal: namely, to extend a “pseudorandom object” on a small domain to a (keyed) pseudorandom permutation on a larger domain by repeating a few, relatively simple operations several times across multiple rounds. Simplifying somewhat, Feistel networks begin with a keyed pseudoran- dom function on n-bit inputs and extend this to give a keyed pseudorandom permutation on 2n-bit inputs. On the other hand, SPNs start with one or more public “random permutations” on n-bit inputs (called S-boxes) and extend them to give a keyed pseudorandom permutation on wn-bit inputs for some w, by iterating the following steps:

1. Substitution step: break down the wn-bit state into w disjoint n-bit blocks, and compute an S-box on each n-bit block; 2. Permutation step: apply a non-cryptographic, keyed permutation to the whole wn-bit state (which is also applied to the plaintext before the first round).

Proving the security of a concrete block cipher unconditionally is currently beyond our capabilities. Thus, the usual approach is to prove that the high- level structure is sound in a relevant security model. For Feistel networks, a substantial line of work, starting with Luby and Rackoff’s seminal work [LR88], and culminating with Patarin’s results [Pat03, Pat04], proves optimal security with a sufficient number of rounds. Numerous other articles [Pat10, HR10, HKT11, Tes14, CHK+16] study the security of (variants of) Feistel networks in various security models. In contrast, it is somewhat surprising that there are almost no results about provable security of SPNs (see below.) Here, we address this gap and explore conditions under which SPNs can be proven secure.

Domain Extension of Block Ciphers. Block ciphers following the SPNs typically rely on very small S-boxes (e.g. AES uses an 8-bit S-box). However, it is also possible to use a larger domain block cipher with a fixed key (which has non-trivial efficiency gains and avoid related key attacks) as “S-box” in order to extend the domain of the underlying block cipher, or to use a larger dedicated permutation (e.g., Keccak permutation [BDPA09] or with Gimli [BKL+17]), in order to directly obtain a “wide” block cipher. From this point of view, the substitution-permutation networks can also be viewed as enciphering modes of operation (of a fixed input length), in which the length n of the S-box is not necessarily small. Such enciphering modes of operations have applications to disk encryption that protects the confidentiality of data stored on a sector-addressable device, such as a hard disk. In this scenario, the disk is divided into several sectors, and each sector, viewed as a wide block, should be encrypted and decrypted

2 independently of each other. Non-linear 1-round SPNs with secret S-boxes have already been used to provide domain extension for block ciphers [CS06, Hal07]. These constructions provide the birthday bound security, while this level of security might not be desirable for an environment where stronger security is required. One of our results will address this limitation.

1.1 Our Contribution

We analyze SPNs in the standard sense as a strong pseudorandom permuta- tion [LR88] (i.e., against adaptive chosen-plaintext and chosen-ciphertext attacks).

Linear SPNs. We first characterize the security of linear SPNs, where the permutation layer is a linear function (over GF (2n), where n is the size of the S-box) of the current wn-bit round key and the current wn-bit state. Indeed, most current SPN-based block ciphers (e.g., AES, Serpent, PRESENT, etc.) use linear permutation step, which involves a simple key-mixing step followed by an invertible linear transformation. For this widely used setting we give a general against any 2-round linear SPNs with w ≥ 2.8 Complementing this attack, we show that a 3-round linear SPNs are secure, for any w, if the keyed linear permutations satisfy some very mild technical requirements. This result critically uses the H-coefficients technique [Pat08, CS14].

Non-Linear SPNs. In an effort to reduce the number of rounds (and get other benefits we explain below), we then turn our attention to non-linear SPNs, where the permutation step does not have to be linear (although must remain efficient and “non-cryptographic”). Here we show that even a 1-round SPN can be secure, if appropriate keyed permutations are used. We identify a combinatorial property on the permutations — which we term blockwise universality — that suffices for security in this case, and then study the efficiency of constructing permutations satisfying this property. Specifically, we show a construction of a satisfactory permutation with n-bit keys (but having high degree), and another construction with longer keys but having degree 3. We then show that, by using such blockwise independent permutations, the security of resulting SPNs increases when we increase the number of rounds: while 1 round already achieves “birthday security”, as our main technical result we show that 2-round non-linear SPNs (with independent S-boxes and keys in different rounds) achieves “beyond-birthday” security (for up to 22n/3 queries). This result uses the refinement of the H-coefficient technique due to [HT16]. We also give an asymptotic analysis of non-linear SPNs built from blockwise universal permutations using the coupling technique of [MRS09, HR10]. In particular, for r = 2s we prove that r-round SPNs are secure as long as the number of adversarial queries is well below 2sn/(s+1). Thus, as r grows, our bounds tend towards optimal 2n security.

8Even a 1-round linear SPN can be secure if w = 1, since this corresponds to the famous Even-Mansour cipher [EM97].

3 As an additional benefit of this setting, we show that the blockwise universal permutations can be efficiently tweaked, meaning that our non-linear SPN con- structions yield tweakable block ciphers [LRW11], which is important for some settings. Finally, we analyze our non-linear SPNs in the multi-user setting using the point-wise proximity technique of [HT16].

Application to Wide Tweakable Block Ciphers. Besides providing theoretical insights on SPN-based block ciphers, our results also have a practical interest in the context of domain extension for block ciphers and permutation- based cryptography. For example, if our construction is instantiated with two n-bit permutations and a tweakable permutation TBPE in the permutation layer (as defined in Section 2.2), then we can build a wide tweakable block cipher with key space {0, 1}6n, tweak space {0, 1}n and message space {0, 1}wn for any integer w ≥ 2. This tweakable block cipher requires w calls to each permutation and 3w field multiplications for each encryption/decryption call. The multi-user advantage of any adversary is shown to be small as long as the number of its queries is well below 22n/3. This means that a 192 bit (resp. 384 bit) permutation or block cipher is sufficient to get a provably secure mode of operation as long as the number of adversarial queries is small in front of 2128 (resp. 2256). As far as we know, this is the first construction for domain extension of a block cipher/permutation that enjoys beyond birthday-bound security. Of course, to instantiate this construction we would need a good public permutation with large domain size n. As mentioned earlier, we could either use a larger domain block cipher with a fixed key, or use a larger dedicated permutation on larger domain, such as Keccak permutation [BDPA09] or Gimli [BKL+17].

Open Problems. We conjecture that r-round non-linear SPNs should actually be enough to prove security up to O(2rn/(r+1)) adversarial queries. Proving it using combinatorial techniques seems very challenging and we leave it as an interesting open problem. It is also interesting if we can prove beyond-birthday security bounds for linear SPNs (with 3 or more rounds), as these SPNs appear to be the ones used in practice. More generally, it would be great to prove tight security bounds and matching attacks for r-round linear and non-linear SPNs.

Implications for small block size. While our results are directly meaningful when the length n of public S-boxes in at least security parameter (e.g., for building wide tweakable block ciphers), our bounds are too weak for regular SPN-based ciphers, such as AES, which use very low values of n for their S-boxes. This “2n provable barrier” is inherent using our current modeling, where the S-box of size 2n is providing the only source of cryptographic hardness. More generally, establishing a sound theory of building block ciphers from small S-boxes is one of the biggest and most important open problems in symmetric-key cryptography. We hope that our structural results for reduced-round SPN ciphers will be useful in establishing such theory, despite not crossing the fundamental “2n barrier” mentioned above.

4 1.2 Related Work

There are only a few prior papers looking at provable security of SPNs. The vast majority of such work analyzes the case of secret, key-dependent S-boxes (rather than public S-boxes as we consider here), and so we survey that work first.

SPNs with secret S-boxes. Naor and Reingold [NR99] prove security for what can be viewed as a non-linear, 1-round SPN. Their ideas were further developed, in the context of domain extension for block ciphers (see further discussion below), by Chakraborty and Sarkar [CS06] and Halevi [Hal07]. Iwata and Kurosawa [IK00] analyze SPNs in which the linear permutation step is based on the specific permutations used in the block cipher Serpent. They show an attack against 2-round SPNs of this form, and prove security for 3-round SPNs against non-adaptive adversaries. In addition to the fact that we consider public S-boxes, our linear SPN model considers generic linear permutations and we prove security against adaptive attackers. Miles and Viola [MV15] study SPNs from a complexity-theoretic viewpoint. Two of their results are relevant here. First, they analyze the security of linear SPNs using S-boxes that are not necessarily injective (so the resulting keyed functions are not, in general, invertible). They show that r-round SPNs of this type (for r ≥ 2) are secure against chosen-plaintext attacks. (In contrast, our results show that 2-round, linear SPNs are not secure against a combination of chosen-plaintext and chosen-ciphertext attacks when w ≥ 2.) They also analyze SPNs based on a concrete set of S-boxes, but in this case they only show security against linear/differential attacks (a form of chosen-plaintext attack), rather than all possible attacks, and only when the number of rounds is r = Θ(log n).

SPNs with public S-boxes. A difference between our work and all the work discussed above is that we treat the S-boxes as public. We are aware of only one prior work analyzing the provable security of SPNs in this setting. Dodis et al. [DSSL16] recently studied the indifferentiability [MRH04] of confusion- diffusion networks, which can be viewed as unkeyed SPNs. One could translate their results to the keyed setting, but that would require using multiple, key- dependent S-boxes (rather than a fixed, public S-box) and so would not imply our results. We remark further that they show positive results only for 5 rounds and above. As observed earlier, the Even-Mansour construction [EM97] of a (keyed) pseudorandom permutation from a public random permutation can be viewed as a 1-round, linear SPN in the degenerate case where w = 1 (i.e., no domain extension) and all round permutations are instantiated using simple key mixing. Security of the 1-round Even-Mansour construction against adaptive chosen- plaintext/ciphertext attacks, using independent keys for the initial and final key mixing, was shown in the original paper [EM97]. Our positive results imply security of the 1-round Even-Mansour construction (with similar concrete security bounds) as a special case. The r-round generalization of the Even-Mansour cipher has seen a lot of interest over the years, culminating with [CS14, HT16] where it

5 was proved that the r-round Even-Mansour construction is secure up to roughly 2rn/(r+1) adversarial queries, when the public S-boxes are uniformly random and independent permutations and the round keys are independent. Chen et al. [CLL+14] also proved that several minimized variants of the 2-round Even- Mansour construction are also secure up to roughly 22n/3 adversarial queries. None of these results extend to the setting w > 1 considered in this work.

Cryptanalysis of SPNs. Researchers have also explored cryptanalytic attacks on generic SPNs [BS10, BBK14, DDKL, BK]. These works generally consider a model of SPNs in which round permutations are secret, random (invertible) linear transformations, and S-boxes may be secret as well; this makes the attacks stronger but positive results weaker. In many cases the complexities of the attacks are exponential in n (though still faster than a brute-force search for the key), and hence do not rule out asymptotic security results. On the positive side, Biryukov et al. [BBK14] show that 2-round SPNs (of the stronger form just mentioned) are secure against some specific types of attacks, but other attacks on such schemes have recently been identified [DDKL].

Attacks. Attacks due to Joux [Jou03] and to Halevi and Rogaway [HR04], originally developed in the afore-mentioned context of block cipher domain exten- sion (or more exactly, in the construction of tweakable block ciphers with large domains from standard block ciphers with “small” domains) can be translated to the context of linear SPNs as well. Specifically, these attacks imply that linear 2-round SPNs of width w ≥ 2 are insecure, as long as the underlying field has characteristic 2.9

Domain extension of block ciphers. Non-linear, 1-round SPNs with secret S-boxes have been used for domain extension of block ciphers before [CS06, Hal07]. Other approaches for domain extension, not relying on (pure) SPNs, have also been considered [BD99, HR03, HR04, MF07, CDMS10]. To the best of our knowledge, none of these results achieve beyond-birthday security.

Random Permutation Based Tweakable Block Ciphers. Our tweak- able SPNs can be viewed as tweakable block ciphers based on public random permutations. It is easy to see that T :(h, t, x) 7→ x ⊕ h(t) is (δ, δ0)-blockwise universal (as defined in Section2) if h is chosen from a δ0-almost uniform and δ-almost XOR-universal hash family. So with this permutation layer (and with w = 1), we obtain the security bound for the Tweakable Even-Mansour con- structions [CLS15] in the multi-user setting. In this line of research, a number of efficient constructions have been proposed [GJMN16, Men16].

9Indeed, a technical difference with the attack presented here is that our attack does not require a finite field of characteristic 2. Because of this difference, our attack ends up having little (if anything) in common with the attacks of Joux and Halevi-Rogaway.

6 2 Preliminaries

Throughout this work, we fix positive integers w and n; an element x in {0, 1}wn can be viewed as a concatenation of w blocks, each of which is of length n. The i-th block of this representation will be denoted xi for i = 1, . . . , w, so we have

x = x1||x2|| · · · ||xw,

sometimes written as x = (x1, . . . , xw). For a set R and an integer s ≥ 1, R∗s denotes the set of all sequences that consists of s pairwise distinct elements of R. For any integer r such that r ≥ s, ∗s we will write (r)s = r!/(r − s)!. If |R| = r, then (r)s becomes the size of R . The sets of non-negative integers and non-negative real numbers are denoted N and R≥0, respectively. The following inequality will be used in our security proof. Lemma 1. Let m be an integer and let x be a real number such that m ≥ 2 and 1 −1 ≤ x < m−1 . Then one has mx (1 + x)m ≤ 1 + . 1 − (m − 1)x

2.1 Tweakable Substitution-Permutation Networks

All the notions below are defined for the general tweak set T ; however, the standard “non-tweakable” setting is a special case of the definitions below when |T | = 1. Tweakable Permutations. For an integer m ≥ 1, the set of all permutations on {0, 1}m will be denoted Perm(m). A tweakable permutation with tweak space T and message space X is a mapping Pe : T × X → X such that, for any tweak t ∈ T , x 7→ Pe(t, x) is a permutation of X . The set of all tweakable permutations with tweak space T and message space {0, 1}m will be denoted Perm] (T , m). A keyed tweakable permutation with key space K, tweak space T and message space X is a mapping T : K × T × X → X such that, for any key k ∈ K,

(t, x) 7→ T (k, t, x)

is a tweakable permutation with tweak space T and message space X . We will sometimes write T (k, t, x) as Tk(t, x) or Tk,t(x). For an integer s ≥ 1, s ∗s let t = (t1, . . . , ts) ∈ T , and let x = (x1, . . . , xs) ∈ (X ) . We will write (T (k, ti, xi))1≤i≤s as Tk(t, x) or Tk,t(x). Tweakable SPNs. For fixed parameters w and n, let

T : K × T × {0, 1}wn −→ {0, 1}wn

7 t

x1 S1 S2 y1

x2 S1 S2 y2

Tk0 Tk1 Tk2

x3 S1 S2 y3

x4 S1 S2 y4

Fig. 1. A 2-round tweakable SPN with w = 4. The input and output blocks of the SPN are represented as x = x1||x2||x3||x4 and y = y1||y2||y3||y4, respectively.

be a keyed tweakable permutation with key space K, tweak space T and message space {0, 1}wn. For a fixed number of rounds r, an r-round substitution-permutation net- work (SPN) based on T , denoted SPT , takes as input a set of n-bit permutations T S = (S1,...,Sr), and defines a keyed tweakable permutation SP [S] operating on wn-bit blocks with key space Kr+1 and tweak space T : on input x ∈ {0, 1}wn, key r+1 T k = (k0, k1, . . . , kr) ∈ K and tweak t ∈ T , the output of SP [S] is computed as follows (see also Fig.1). y ← x for i ← 1 to r do

y ← Tki−1,t(y) Break y = y1|| · · · ||yw into n-bit blocks y ← Si(y1)|| · · · ||Si(yw)

y ← Tkr ,t(y) return y Remark 1. Both of the permutation layer T and the entire construction SPT can be viewed as keyed tweakable permutations. However, T will typically be built upon non-cryptographic operations such as filed multiplications, while SPT are based on S-boxes which are modeled as public random permutations.

Blockwise Universal Tweakable Permutations. A keyed tweakable per- mutation T : K × T × {0, 1}wn −→ {0, 1}wn is called (δ, δ0)-blockwise universal if the following hold. 1. For all distinct (t, x, i), (t0, x0, i0) ∈ T × {0, 1}wn × {1, . . . , w}, we have

h $ 0 i Pr k ← K : Tk,t(x)i = Tk,t0 (x )i0 ≤ δ.

8 2. For all (t, x, i, c) ∈ T × {0, 1}wn × {1, . . . , w} × {0, 1}n, we have

h $ i 0 Pr k ← K : Tk,t(x)i = c ≤ δ .

Since each pair of key k ∈ K and tweak t ∈ T defines a permutation Tk,t on {0, 1}wn, one can define a keyed tweakable permutation

T −1 : K × T × {0, 1}wn −→ {0, 1}wn

−1 −1 −1 0 such that T (k, t, x) = (Tk,t) (x). If T and T are both (δ, δ )-blockwise universal, then T is called (δ, δ0)-super blockwise universal.

2.2 An Efficient Super Blockwise Tweakable Universal Permutation In this section, we show that an efficient xor-blockwise universal construction, dubbed BPE, proposed by Halevi [Hal07] can be made tweakable with a slight modification. Other constructions of (tweakable) blockwise universal permutations can be found in [DKS+17] some of which support tweaks. We present BPE below and will present the remaining constructions in the full version. Assuming 2n ≥ w + 3, let F denote a finite field with 2n elements. For each def k ∈ F, define a w × w matrix over F, Mk = Ak + I, where I is the identity matrix and k k2 kw k k2 kw A =   . k  ..   .  k k2 kw j Precisely, (Ak)i,j = k for 1 ≤ i, j ≤ w. Let z be a primitive element of F, and let

( w ) X i K = k ∈ F : k 6= 0 × F. i=0 Then BPE is defined as follows.

BPE : K × {0, 1}wn −→ {0, 1}wn 0 ((k, k ), x) 7−→ Mkx ⊕ ak0 , where we identify x ∈ {0, 1}wn with a w-dimensional column vector over F, and  k0   zk0  a 0 =   . k  .   .  zw−1k0

Pw i It is easy to check that Mk is invertible if i=0 k 6= 0; precisely, A M −1 = I ⊕ k , k k∗

9 ∗ def Pw i 0 where k = i=0 k . For any (k, k ) ∈ K, BPEk,k0 is also invertible with −1 −1 BPEk,k0 (x) = Mk (x ⊕ ak0 ) for any x ∈ {0, 1}wn. Halevi [Hal07] also proved that for any pair of distinct (x, i), (x0, i0) ∈ {0, 1}wn × {1, . . . , w} and ∆ ∈ {0, 1}n,

h 0 $ 0 i w Pr (k, k ) ← K : BPE 0 (x) ⊕ BPE 0 (x ) 0 = ∆ ≤ , k,k i k,k i 2n − w h 0 $ −1 −1 0 i w Pr (k, k ) ← K : BPE 0 (x) ⊕ BPE 0 (x ) 0 = ∆ ≤ . (1) k,k i k,k i 2n − w wn n For a fixed (x, i, c) ∈ {0, 1} × {1, . . . , w} × {0, 1} , BPEk,k0 (x)i = c implies that w X j i−1 0 xjk ⊕ xi ⊕ z k = c, j=1 1 0 which holds with probability 2n over a random choice of (k, k ) ∈ K. On the −1 other hand, BPEk,k0 (x)i = c implies that

 w   w  1 X 1 X zi−1 ⊕ zj−1kj k0 ⊕ c ⊕ x ⊕ x kj = 0.  k∗   i k∗ j  j=1 j=1

w 1 This equation holds with probability at most 2n−w + 2n . To summarize, we have

h 0 $ i 1 Pr (k, k ) ← K : BPE 0 (x) = c ≤ , k,k i 2n h 0 $ −1 i w + 1 Pr (k, k ) ← K : BPE 0 (x) = c ≤ . (2) k,k i 2n − w Now we define a tweakable variant of BPE, dubbed TBPE (for Tweakable Blockwise Polynomial-Evaluation), with tweak space T = {0, 1}n as follows.

TBPE : K × T × {0, 1}wn −→ {0, 1}wn 0 ((k, k ), t, x) 7−→ Mk(x ⊕ bt) ⊕ ak0 ⊕ bt,

where bt is the column vector whose entries are all t, namely, t t b =   . t . . t

Since each pair of key (k, k0) ∈ K and tweak t ∈ T defines a permutation wn TBPEk,k0,t on {0, 1} , one can define a keyed tweakable permutation TBPE−1 : K × T × {0, 1}wn −→ {0, 1}wn.

Then we can prove the following lemma.

10 Lemma 2. Let TBPE be the keyed tweakable permutation as defined above, and let TBPE−1 be its inverse. 1. For all distinct (t, x, i), (t0, x0, i0) ∈ T × {0, 1}wn × {1, . . . , w}, we have

h 0 $ 0 i w Pr (k, k ) ← K : TBPE 0 (x) = TBPE 0 0 (x ) 0 ≤ . k,k ,t i k,k ,t i 2n − w 2. For all (t, x, i, c) ∈ T × {0, 1}wn × {1, . . . , w} × {0, 1}n, we have

h 0 $ i 1 Pr (k, k ) ← K : TBPE 0 (x) = c ≤ . k,k ,t i 2n 3. For all distinct (t, x, i), (t0, x0, i0) ∈ T × {0, 1}wn × {1, . . . , w}, we have

h 0 $ −1 −1 0 i w Pr (k, k ) ← K : TBPE 0 (x) = TBPE 0 0 (x ) 0 ≤ . k,k ,t i k,k ,t i 2n − w 4. For all (t, x, i, c) ∈ T × {0, 1}wn × {1, . . . , w} × {0, 1}n, we have

h 0 $ −1 i w + 1 Pr (k, k ) ← K : TBPE 0 (x) = c ≤ . k,k ,t i 2n − w Proof. For distinct (t, x, i) and (t0, x0, i0), we have

0 0 0 TBPEk,k0,t(x)i ⊕ TBPEk,k0,t0 (x )i0 = BPEk,k0 (x ⊕ bt)i ⊕ BPEk,k0 (x ⊕ bt0 )i0 ⊕ t ⊕ t .

0 0 0 0 If (x ⊕ bt, i) 6= (x ⊕ bt0 , i ), then BPEk,k0 (x ⊕ bt)i ⊕ BPEk,k0 (x ⊕ bt0 )i0 ⊕ t ⊕ t = 0 w 0 0 with probability at most 2n−w by (1). If (x ⊕ bt, i) = (x ⊕ bt0 , i ), then it implies 0 0 0 0 t 6= t , and hence BPEk,k0 (x ⊕ bt)i ⊕ BPEk,k0 (x ⊕ bt0 )i0 ⊕ t ⊕ t = t ⊕ t 6= 0. For a fixed (t, x, i, c), TBPEk,k0,t(x)i = c if and only if BPEk,k0 (x⊕bt)i = c⊕t, 1 and this equation holds with probability at most 2n . The remaining properties are proved similarly. ut

 w w+1  From Lemma2, it follows that TBPE is 2n−w , 2n−w -super blockwise univer- sal. Except constant multiplications zik0, i = 1, . . . , w − 1, (which also can be precomputed), each evaluation of TBPEk,k0,t(x) requires w field multiplications.

2.3 Indistinguishability in the Multi-user Setting

T Let SP [S] be an r-round SPN based on a set of S-boxes S = (S1,...,Sr) and a keyed tweakable permutation T with key space K and tweak space T . So SPT [S] becomes a keyed tweakable permutation on {0, 1}wn with key space Kr+1 and tweak space T . In the multi-user setting, let ` denote the number of users. In the real r+1 world, ` secret keys k1,... k` ∈ K are chosen independently at random. A set of independent S-boxes S = (S1,...,Sr) is also randomly chosen from Perm(n)r. A distinguisher D is given oracle access to (SPT [S],..., SPT [S]) as k1 k` well as S = (S1,...,Sr). In the ideal world, D is given a set of independent

11 ` random tweakable permutations Pe = (Pe1,..., Pe`) ∈ Perm] (T , wn) instead of (SPT [S],..., SPT [S]). However, oracle access to S = (S ,...,S ) is still allowed k1 k` 1 r in this world. The adversarial goal is to tell apart the two worlds (SPT [S],..., SPT [S], S) k1 k` and (Pe1,..., Pe`, S) by adaptively making forward and backward queries to each of the constructions and the S-boxes. Formally, D’s distinguishing advantage is defined by

h $ $ i mu r S,P1,...,P` AdvSPT (D) = Pr Pe1,..., Pe` ← Perm] (T , wn), S ← Perm(n) : 1 ← D e e

h $ $ T T i r+1 r S,SPk [S],...,SPk [S] − Pr k1,..., k` ← K , S ← Perm(n) : 1 ← D 1 ` .

For p, q > 0, we define

AdvSPT (p, q) = max AdvSPT (D) D where the maximum is taken over all adversaries D making at most p queries to each of the S-boxes and at most q queries to the outer tweakable permutations. mu mu In the single-user setting with ` = 1, AdvSPT (D) and AdvSPT (p, q) will also be su su written as AdvSPT (D) and AdvSPT (p, q), respectively. H-coefficient Technique. Suppose that a distinguisher D makes p queries to each of the S-boxes, and total q queries to the construction oracles. The queries made to the j-th construction oracle, denoted Cj, are recorded in a query history

QCj = (j, tj,i, xj,i, yj,i)1≤i≤qj

for j = 1, . . . , `, where qj is the number of queries made to Cj and (j, tj,i, xj,i, yj,i) 10 represents the evaluation obtained by the i-th query to Cj. So according to the instantiation, it implies either SPT [S](t , x ) = y or P (t , x ) = y . Let kj j,i j,i j,i ej j,i j,i j,i

QC = QC1 ∪ · · · ∪ QC` .

For j = 1, . . . , r, the queries made to Sj are recorded in a query history

QSj = (j, uj,i, vj,i)1≤i≤p,

where (j, uj,i, vj,i) represents the evaluation Sj(uj,i) = vj,i obtained by the i-th query to Sj. Let

QS = QS1 ∪ · · · ∪ QSr . Then the pair of query histories

τ = (QC , QS)

will be called the transcript of the attack: it contains all the information that D has obtained at the end of the attack. In this work, we will only consider

10The index j in a construction query can be dropped out in the single-user setting.

12 information theoretic distinguishers. Therefore we can assume that a distinguisher is deterministic without making any redundant query, and hence the output of D can be regarded as a function of τ, denoted D(τ) or D(QC , QS). r+1 Fix a transcript τ = (QC , QS), a key k ∈ K , a tweakable permutation r Pe ∈ Perm] (T , wn), a set of S-boxes S = (S1,...,Sr) ∈ Perm(n) and j ∈ {1, . . . , `}: if Sj(uj,i) = vj,i for every i = 1, . . . , p, then we will write Sj `

QSj . We will write S ` QS if Sj ` QSj for every j = 1, . . . , r. Similarly, if T SPk [S](tj,i, xj,i) = yj,i (resp. Pe(tj,i, xj,i) = yj,i) for every i = 1, . . . , qj, then we T will write SPk [S] ` QCj (resp. Pe ` QCj ). Let k ,..., k ∈ Kr+1 and P = (P ,... P ) ∈ Perm] (T , wn)`. If SPT [S] ` 1 ` e e1 e` kj Q (resp. P ` Q ) for every j = 1, . . . , `, then we will write (SPT [S]) ` Cj ej Cj kj j=1,...,` QC (resp. Pe ` QC ). If there exist Pe ∈ Perm] (T , wn)` and S ∈ Perm(n)w that outputs τ at the end of the interaction with D, then we will call the transcript τ attainable. So ` for any attainable transcript τ = (QC , QS), there exist Pe ∈ Perm] (T , wn) and w S ∈ Perm(n) such that Pe ` QC and S ` QS. For an attainable transcript τ = (QC , QS), let

  $ ` $ r p1(QC |QS) = Pr Pe ← Perm] (T , wn) , S ← Perm(n) : Pe ` QC |S ` QS ,   $ r+1 $ r T p2(QC |QS) = Pr k1,..., k` ← K , S ← Perm(n) :(SPk [S])j ` QC |S ` QS . j

With these definitions, the following lemma, the core of the H-coefficients tech- nique (without defining “bad” transcripts), will be also used in our security proof.

Lemma 3. Let ε > 0. Suppose that for any attainable transcript τ = (QC , QS),

p2(QC |QS) ≥ (1 − ε)p1(QC |QS). (3)

Then one has mu AdvSPT (D) ≤ ε.

The lower bound (3) is called ε-point-wise proximity of the transcript τ = (QC , QS). The point-wise proximity of a transcript in the multi-user setting is

guaranteed by the point-wise proximity of (QCj , QS) for each j = 1, . . . , ` in the single-user setting. The following lemma is a restatement of Lemma 3 in [HT16].

Lemma 4. Let ε : N × N → R≥0 be a function such that

1. ε(x, y) + ε(x, z) ≤ ε(x, y + z) for every x, y, z ∈ N, 2. ε(·, z) and ε(z, ·) are non-decreasing functions on N for every z ∈ N.

13 Suppose that for any distinguisher D in the single-user setting that makes p primitive queries to each of the underlying S-boxes and makes q construction queries, and for any attainable transcript τ = (QC , QS) obtained by D, one has

p2(QC |QS) ≥ (1 − ε(p, q))p1(QC |QS). Then for any distinguisher D in the multi-user setting that makes p primitive queries to each of the underlying S-boxes and makes total q construction queries, and for any attainable transcript τ = (QC , QS) obtained by D, one has

p2(QC |QS) ≥ (1 − ε(p + wq, q))p1(QC |QS).

2.4 Coupling Technique Given a finite event space Ω and two probability distributions µ and ν defined on Ω, the total variation distance between µ and ν, denoted kµ − νk, is defined as 1 X kµ − νk = |µ(x) − ν(x)|. 2 x∈Ω The following definitions are also all equivalent.

kµ − νk = max{µ(Z) − ν(Z)} = max{ν(Z) − µ(Z)} = max{|µ(Z) − ν(Z)|}. Z⊂Ω Z⊂Ω Z⊂Ω A coupling of µ and ν is a distribution τ on Ω × Ω such that for all x ∈ Ω, P P y∈Ω τ(x, y) = µ(x) and for all y ∈ Ω, x∈Ω τ(x, y) = ν(x). In other words, τ is a joint distribution whose marginal distributions are respectively µ and ν. We will use the following two lemmas in our security proof. Lemma 5. Let µ and ν be probability distributions on a finite event space Ω, let τ be a coupling of µ and ν, and let (X,Y ) be a random variable sampled according to distribution τ. Then kµ − νk ≤ Pr[X 6= Y ]. Lemma 6. Let Ω be some finite event space and ν be the uniform probability distribution on Ω. Let µ be a probability distribution on Ω such that kµ − νk ≤ ε. Then there is a set Z ⊂ Ω such that √ 1. |Z| ≥ (1 − √ε)|Ω|, 2. µ(x) ≥ (1 − ε)ν(x) for every x ∈ Z. We refer to [LPS12] for the proof of the above two lemmas.

3 Security of Linear SPNs

All the results in this section are for the “non-tweakable” setting (|T | = 1) Hence, we do not explicitly refer to the tweak in the notation. Further, the results in this section hold even when a single n-bit permutation S is used, i.e., even when S1 = ... = Sr = S and are presented as such. We start by defining linear (non-tweakable) SPNs.

14 Definition 1. Keyed permutation T : K × {0, 1}wn −→ {0, 1}wn is linear if

T (k, x) = (Tk · k) + (Tx · x) + ∆,

wn where Tk,Tx ∈ K × {0, 1} are linear transformations, Tx is invertible, and wn r ∆ ∈ {0, 1} . An SPN is linear if all its round permutations {Tki }i=0 are linear. We present an attack showing that 2-round, linear SPNs cannot be secure for w ≥ 2. The attack is based on one shown by Halevi and Rogaway [HR04] in a different context (and is a simple application of the boomerang technique [Wag99]); our contribution here is to observe that the attack is applicable to any 2-round, linear SPN. The attack relies on the fact that the field F = GF(2n) is of characteristic 2. This attack and an attack that works for fields of arbitrary characteristic can be found in [DKS+17].

3.1 Security of 3-Round, Linear (non-tweakable) SPNs We now explore conditions under which 3-round, linear SPNs are secure. Recall 3 that a 3-round SPN has four round permutations {Ti}i=0, and without loss of generality we may assume ( x ⊕ ki i ∈ {0, 3} Ti(ki, x) = 0 , (4) Ti · (x ⊕ ki) i ∈ {1, 2}

0 0 w×w where T1,T2 ∈ F are invertible linear transformations. We prove that a 0 0−1 3-round, linear SPN is secure so long as (i) T1 and T 2 contain no zero entries (Miles and Viola [MV15] show that matrices with maximal branch number [Dae95] satisfy this property), and (ii) round keys k0 and k3 are (individually) uniform. The proof of this theorem can be found in [DKS+17]. Theorem 1. Assume w > 1. Let SPT be a 3-round, linear (non-tweakable) SPN with round permutations as in (4) and with distribution K over keys k0, k1, k2, k3. 0 0−1 If k0 and k3 are uniformly distributed and the matrices T1, T 2 contain no zero entries, then 2 2 2 su 5w q + 4wpq q Adv T (p, q) ≤ + . SP 2n − p − 2w 2wn

A minimal secure (linear) SPN. We proved that a 3-round, linear SPN is 0 0−1 secure if the keys k0 and k3 are individually uniform and T1,T 2 contain no 0-entries. No assumptions were made about independence of k0, k3, nor were any assumptions made about the distributions of k1, k2. So the theorem implies security for the following “minimal” 3-round, linear SPN: Let k0 = k3 = k, where wn 0 0−1 k is uniform, set k1 = k2 = 0 , and let T1 = T2 = T be invertible with no 0-entries. Define keyed permutations  x ⊕ k i ∈ {0, 3}  0 πi(k, x) = T x i = 1 (5) T 0−1x i = 2.

15 We have:

Corollary 1. Assume w > 1. Let SPT be a 3-round, linear SPN with round wn permutations as in (5) and K choosing uniform k0 = k3 and k1 = k2 = 0 . Then

2 2 2 su 5w q + 4wpq q Adv T (p, q) ≤ + . SP 2n − p − 2w 2wn

Reducing key-length. It is in fact sufficient for the wn-bit key k (= k0 = k3) in Corollary1 to satisfy the following conditions: informally, for any n-bit constant c and distinct indices i, i0, (a) k[i] equals c with negligible probability, and (b) the sum of k[i] and k[i0] equals c with negligible probability. This can be achieved by 0 0 choosing a uniform n-bit key k and letting k[i] = ai · k where ai are distinct non-zero elements of F. Thus, one can make do with a “master key” of only n bits, while preserving the same security as in Corollary1.

4 Security of Non-Linear SPNs

In this section, we first show that keyed tweakable blockwise universal permu- tations help construct (non-linear) tweakable SPNs. As a preliminary step, we show that 1 round is sufficient to obtain this result. However, the security of the SPN is only up to the birthday attack in this case. Towards obtaining a better security bound, we show that 2 rounds suffice to go beyond the birthday bound and in addition, also present multi-user security beyond the birthday bound for the 2-round tweakable SPN. Finally, we we show that if T is a super blockwise tweakable universal permutation, then the security of SPT converges to 2n as the number of rounds r increases.

4.1 Birthday Security of 1-Round SPNs

We show that a tweakable blockwise-universal permutation is useful in construct- ing non-linear tweakable SPNs. The proof of the theorem is a straightforward extension of the non-tweakable version found in [DKS+17]. Consider the 1-round SPN SPT with T := T −1 where T is a keyed blockwise universal tweakable k1 k0 permutation.

Theorem 2. Let T be a (δ, δ0)-blockwise universal tweakable permutation. Then su 2 2 0 for any integers p and q, one has AdvSPT (p, q) ≤ q w δ + pqwδ .

4.2 Beyond-Birthday Security of 2-Round SPNs

In this section, we will prove the following theorem.

16 Theorem 3. Let δ, δ0 > 0, and let n and w be positive integers such that w ≥ 2. Let T be a (δ, δ0)-super blockwise universal tweakable permutation. Then for any integers p and q such that wp + 3w2q < 2n/2, one has

2 2 2 su 2 0 0 0 q q(2wp + 6w q) Adv T (p, q) ≤ w q(δ p + δwq)(3δ p + 3δwq + 2δ wq) + + , SP 2wn 22n mu 2 0 0 0 0 AdvSPT (p, q) ≤ w q(δ p + (δ + δ )wq)(3δ p + 3δwq + 5δ wq) q2 q(2wp + 8w2q)2 + + . 2wn 22n Remark 2. For the sake of simplicity, we assume that the three keyed layers are actually the same, which is why we require T to be (δ, δ0)-super blockwise tweakable universal. However, if one looks closely at the proof, only the middle layer has to be super-blockwise-universal. The first and the last layer only need to be (δ, δ0)-blockwise universal.

Remark 3. When the S-boxes are modeled as block ciphers using secret keys, the security bound (in the standard model) is obtained by setting p = 0.

The proof of Theorem3 relies on the following lemma (with the lower bound simplified) and on Lemma3 and Lemma4.

Lemma 7. Let p and q be positive integers such that wp + 3w2q < 2n/2, and let D be a distinguisher in the single-user setting that makes p primitive queries to each of S1 and S2 and makes q construction queries. Then for any attainable transcript τ = (QC , QS), one has

2 2 2 p2(QC |QS) 2 0 0 0 q q(2wp + 6w q) ≥ 1−w q(δ p+δwq)(3δ p+3δwq +2δ wq)− wn − 2n . p1(QC |QS) 2 2

Outline of Proof of Lemma7. Throughout the proof, we will write a 2-round SP construction as

T  ||   ||  SP [S]k(t, x) = Tk2,t S2 Tk1,t S1 (Tk0,t(x)) ,

n where S = (S1,S2) is a pair of two public random permutations of {0, 1} , 3 wn k = (k0, k1, k2) ∈ K is the key, x ∈ {0, 1} is the plaintext, and, for i = 1, 2,

|| wn wn Si : {0, 1} → {0, 1} x = x1||x2|| ... ||xw 7−→ Si(x1)||Si(x2)|| ... ||Si(xw).

We also fix a distinguisher D as described in the statement and fix an attainable transcript τ = (QC , QS) obtained by D. Let

Q(0) = {(u, v) ∈ {0, 1}n × {0, 1}n : (1, u, v) ∈ Q }, S1 S Q(0) = {(u, v) ∈ {0, 1}n × {0, 1}n : (2, u, v) ∈ Q } S2 S

17 and let

U (0) = {u ∈ {0, 1}n :(u , v ) ∈ Q(0)},V (0) = {v ∈ {0, 1}n :(u , v ) ∈ Q(0)}, 1 1 1 1 S1 1 1 1 1 S1 U (0) = {u ∈ {0, 1}n :(u , v ) ∈ Q(0)},V (0) = {v ∈ {0, 1}n :(u , v ) ∈ Q(0)} 2 2 2 2 S2 2 2 2 2 S2

denote the domains and ranges of Q(0) and Q(0), respectively. S1 S2 This type of lemma is usually proved by defining a large enough set of “good” keys, and then, for each choice of a good key, lower bounding the probability of observing this transcript, again by lower bounding the number of possible “intermediate” values. A key is usually said to be good if the adversary cannot use the transcript to follow the path of computation of the encryption/decryption of a query up to a contradiction. However, since the S-boxes are used several times in each round, there will not be enough information in the transcript to allow such a naive definition. Therefore, instead of summing over the choice of the key, we will define an extension of the transcript, that will provide the necessary information, and then sum over every possible good extension. We will first define what we mean by an extension of the transcript τ. Then we will define bad extensions and explain the link between good extended transcripts and the ratio p2(QC |QS ) . Finally, we will show that the number of bad extended p1(QC |QS ) transcripts is small enough in Lemma8, and then show that the probability to obtain any good extension in the real world is sufficiently close to the probability to obtain τ the ideal world in Lemma9. We stress that extended transcripts are completely virtual and are not disclosed to the adversary. They are just an artificial intermediate step to lower bound the probability to observe transcript τ in the real world.

Extension of a transcript. We will extend the transcript τ of the attack via 2 a certain randomized process. We begin with choosing a pair of keys (k0, k2) ∈ K uniformly at random. Once these keys have been chosen, some construction queries will become involved in collisions. A colliding query is defined as a construction query (t, x, y) ∈ QC such that one of the following conditions holds:

1. there exist an S-box query (1, u, v) ∈ QS and an integer i ∈ {1, . . . , w} such

that Tk0,t(x)i = u; 2. there exist an S-box query (2, u, v) ∈ QS and an integer i ∈ {1, . . . , w} such that T −1 (y) = v; k2,t i 0 0 0 3. there exist a construction query (t , x , y ) ∈ QC and integers i, j ∈ {1, . . . , w} 0 0 0 0 0 such that (t, x, y, i) 6= (t , x , y , j) and Tk0,t(x)i = Tk0,t (x )j; 0 0 0 4. there exist a construction query (t , x , y ) ∈ QC and integers i, j ∈ {1, . . . , w} 0 0 0 −1 −1 0 such that (t, x, y, i) 6= (t , x , y , j) and T (y) = T 0 (y ) . k2,t i k2,t j 0 We are now going to build a new set QS of S-box evaluations that will play the role of an extension of QS. For each colliding query (t, x, y) ∈ QC , we 0 will add tuples (1,Tk0 (t, x)i, v )1≤i≤w (if (t, x, y) collides at the input of S1) or (2, u0,T −1 (y) ) (if (t, x, y) collides at the output of S ) by lazy sampling k2,t i 1≤i≤w 2 v0 = S (T (x) ) or u0 = S−1(T −1 (y) ), as long as it has not been determined 1 k0,t i 2 k2,t i

18 by any existing query in QS. We finally choose a key k1 uniformly at random. An 0 0 extended transcript of τ will be defined as a tuple τ = (QC , QS, QS, k) where k = (k0, k1, k2). For each collision between a construction query and a primitive query, or between two construction queries, the extended transcript will contain enough information to compute a complete round of the evaluation of the SPN. This will be useful to lower bound the probability to get the transcript τ in the real world.

Definition of Bad Transcript Extensions. Let

Q(1) = {(u, v) ∈ {0, 1}n × {0, 1}n : (1, u, v) ∈ Q ∪ Q0 } S1 S S Q(1) = {(u, v) ∈ {0, 1}n × {0, 1}n : (2, u, v) ∈ Q ∪ Q0 }. S2 S S

In words, Q(1) summarizes each constraint that is forced on S by Q and Q0 . Si i S S Let

U = {u ∈ {0, 1}n : (1, u , v ) ∈ Q(1)},V = {v ∈ {0, 1}n : (1, u , v ) ∈ Q(1)}, 1 1 1 1 S1 1 1 1 1 S1 U = {u ∈ {0, 1}n : (2, u , v ) ∈ Q(1)},V = {v ∈ {0, 1}n : (2, u , v ) ∈ Q(1)} 2 2 2 2 S2 2 2 2 2 S2 be the domains and ranges of Q(1) and Q(1), respectively. We define two quantities S1 S2 characterizing an extended transcript τ 0, namely

def α1 = |{(x, y) ∈ QC : Tk0 (x)i ∈ U1 for some i ∈ {1, . . . , w}}| , def α = {(x, y) ∈ Q : T −1(y) ∈ V for some i ∈ {1, . . . , w}} . 2 C k2 i 2

In words, α1 (resp. α2) is the number of queries (t, x, y) ∈ QC which collide with a query (u , v ) ∈ Q(1) (resp. which collide with a query (u , v ) ∈ Q(1)) in the 1 1 S1 2 2 S2 extended transcript. This corresponds to the number of queries (t, x, y) ∈ QC which collide with either an original query (u , v ) ∈ Q(0) (resp. (u , v ) ∈ Q(0)) 1 1 S1 2 2 S2 0 0 0 or with a query (t , x , y ) ∈ QC at an input of S1 (resp. at the output of S2), once the choice of (k0, k2) has been made. We will also denote

β = |Q(1)| − |Q(0)| = |Q(1)| − p i Si Si Si for i = 1, 2, the number of additional queries included in the extended transcript. We say an extended transcript τ 0 is bad if at least one of the following conditions is fulfilled:

(C-1) there exist (t, x, y) ∈ QC , i, j ∈ {1, . . . , w}, u1 ∈ U1, and v2 ∈ V2 such that T (x) = u and T −1 (y) = v ; k0,t i 1 k2,t j 2 (C-2) there exist (t, x, y) ∈ QC , i, j ∈ {1, . . . , w}, u1 ∈ U1, and u2 ∈ U2 such  ||  11 that Tk0,t(x)i = u1 and Tk1,t S1 (Tk0,t(x)) = u2 ; j

11 || Note that the value S1 (Tk0,t(x)) is well-defined thanks to the additional virtual 0 queries from QS .

19 (C-3) there exist (t, x, y) ∈ QC , i, j ∈ {1, . . . , w}, v1 ∈ V1, and v2 ∈ V2 such that −1 −1  −1
||  −1  Tk ,t(y)i = v2 and Tk ,t S2 Tk ,t(y) = v1; 2 1 2 j 0 0 0 0 0 (C-4) there exist (t, x, y), (t , x , y ) ∈ QC , i, i , j, j ∈ {1, . . . , w} with (t, x, j) 6= 0 0 0 0 0 0 0 0 (t , x , j ), u1, u1 ∈ U1 such that Tk0,t(x)i = u1, Tk0,t (x )i = u1 and  ||   || 0  0 0 Tk1,t S1 (Tk0,t(x)) = Tk1,t S1 (Tk0,t (x )) ; j j0 0 0 0 0 0 (C-5) there exist (t, x, y), (t , x , y ) ∈ QC , i, i , j, j ∈ {1, . . . , w} with (y, j) 6= 0 0 0 −1 −1 0 0 (y , j ), v , v ∈ V such that T (y) = v , T 0 (y ) 0 = v and 2 2 2 k2,t i 2 k2,t i 2 −1  −1
||  −1  −1  −1
||  −1 0  Tk ,t S2 Tk ,t(y) = Tk ,t0 S2 Tk ,t0 (y ) . 1 2 j 1 2 j0 Any extended transcript that is not bad will be called good. Given an original transcript τ, we denote Θgood(τ) (resp. Θbad(τ)) the set of good (resp. bad) extended transcripts of τ and Θ0(τ) the set of all extended transcripts of τ.

From Attainable Transcripts to Good Extended Transcripts. We are now going to justify the usefulness of extended transcripts. For any extended 0 0 transcript τ = (QC , QS, QS, k), let us denote

0 h 0 $ 3 2 0 T 0 i pre(τ ) =Pr (k , S) ← K × Perm(n) :(S ` QS ∪ QS) ∧ (SPk [S] ` QC ) ∧ (k = k) ,

0 h $ 2 T (1) (1) i p(τ ) =Pr S ← Perm(n) : SP [S]k ` QC (S1 ` Q ) ∧ (S2 ` Q ) . S1 S2 Note that one has

h $ 2 i Pr (P,e S) ← Perm] (T , wn) × Perm(n) :(S ` QS) ∧ (Pe ` QC ) 1 ≤ wn n n , (2 )q(2 )p(2 )p

h $ 3 2 T i Pr (k, S) ← K × Perm(n) :(S ` QS) ∧ (SPk [S] ` QC ) X X 1 ≥ p (τ 0) ≥ p(τ 0), re |K|3(2n) (2n) 0 0 p+β1 p+β2 τ ∈Θgood(τ) τ ∈Θgood(τ) which gives 1 p1(QC |QS) ≤ wn , (2 )q X 1 p (Q |Q ) ≥ p(τ 0). 2 C S |K|3(2n − p) (2n − p) 0 β1 β2 τ ∈Θgood(τ) Thus one has wn p2(QC |QS) X (2 )q ≥ p(τ 0) p (Q |Q ) |K|3(2n − p) (2n − p) 1 C S 0 β1 β2 τ ∈Θgood(τ)

wn 0 X 1 ≥ min ((2 )qp(τ )) . τ 0∈Θ (τ) |K|3(2n − p) (2n − p) good 0 β1 β2 τ ∈Θgood(τ)

20 P 1 Note that the weighted sum τ 0∈Θ (τ) 3 n n corresponds exactly good |K| (2 −p)β1 (2 −p)β2 to the probability that a random extended transcript is good when it is sampled as follows:

1. choose keys k0, k2 ∈ K uniformly and independently at random; 2. choose the partial extension of the S-box queries based on the new collisions 0 QS uniformly at random (meaning that each possible u or v is chosen uniformly at random in the set of its authorized values); 3. finally choose k1 uniformly at random, independently from everything else. Thus, the exact probability of observing the extended transcript τ 0 is 1 3 n n , |K| (2 − p)β1 (2 − p)β2 and we have X 1 = Pr [τ 0 ∈ Θ (τ)] . |K|3(2n − p) (2n − p) good 0 β1 β2 τ ∈Θgood(τ)

One finally gets

p2(QC |QS) 0 wn 0 ≥ Pr [τ ∈ Θgood(τ)] · min ((2 )qp(τ )). (6) 0 p1(QC |QS) τ ∈Θgood(τ)

0 Lemma8 and Lemma9 lower bound Pr [τ ∈ Θgood(τ)] (by upper bounding 0 wn 0 0 Pr [τ ∈ Θbad(τ)]) and minτ ∈Θgood(τ)((2 )qp(τ )), respectively. Then combining (6) with Lemma8 and Lemma9 will complete the proof of Lemma7.

Lemma 8. One has

0 2 0 0 0 Pr [τ ∈ Θbad(τ)] ≤ w q(δ p + δwq)(3δ p + 3δwq + 2δ wq).

Proof. We fix any attainable transcript, denoted (Q , Q(0), Q(0)). For any fixed C S1 S2 construction query (t, x, y) ∈ QC , define event

Coll1(t, x, y) ⇔ there exist i ∈ {1, . . . , w} and u1 ∈ U1 such that Tk0,t(x)i = u1.

This event can be broken down into the following two subevents:

– there exist i ∈ {1, . . . , w}, j ∈ {1, . . . , p} such that Tk0,t(x)i = uj, 0 0 0 0 0 0 – there exist (t , x , y ) ∈ QC , i, j ∈ {1, . . . , w} such that (t, x, y, i) 6= (t , x , y , j) 0 0 and Tk0,t(x)i = Tk0,t (x )j. Note that these events only involve queries from the original transcript, which means that the choice of the key is actually independent from these values. By the blockwise uniformity of T , one has

0 2 Pr [k0 ∈ K : Coll1(t, x, y)] ≤ δ wp + δw q. (7)

21 Similarly, let

Coll (t, x, y) ⇔ there exist i ∈ {1, . . . , w} and v ∈ V such that T −1 (y) = v . 2 2 2 k2,t i 2 Then one has 0 2 Pr [k2 ∈ K : Coll2(x, y)] ≤ δ wp + δw q. (8) Also note that one has |Q(1)|, |Q(1)| ≤ p + wq, as additional tuples in Q0 come S1 S2 S from the completion of partial information about a construction query. We now upper bound the probabilities of the five conditions in turn. The sets of attainable transcripts fulfilling condition (C-1), (C-2), (C-3), (C-4), (C-5) will be denoted Θ1, Θ2, Θ3, Θ4, Θ5, respectively.

Condition (C-1). One has

0 X Pr [τ ∈ Θ1] ≤ Pr [Coll1(t, x, y) ∧ Coll2(t, x, y)] .

(t,x,y)∈QC

Since the random choice of k0 and k2 are independent, and by (7) and (8), one has 0 0 2 2 Pr [τ ∈ Θ1] ≤ q(δ wp + δw q) .

Condition (C-2) and (C-3). Fix any query (t, x, y) ∈ QC . Since the random choice of k1 is independent from the queries transcript and from the choice of k0, the probability, over the random choice of k1, that there exist i ∈ {1, . . . , w}  ||  and u2 ∈ U2 such that Tk1,t S1 (Tk0,t(x)) = u2, conditioned on Coll1(t, x, y), i is upper bounded by δ0w(p + wq). Thus, by summing over every construction query and using (7), one has

0 0 0 2 Pr [τ ∈ Θ2] ≤ δ wq(p + wq)(δ wp + δw q). Similarly, one has

0 0 0 2 Pr [τ ∈ Θ3] ≤ δ wq(p + wq)(δ wp + δw q).

Conditions (C-4), and (C-5). Given two distinct pairs (i, (t, x, y)), (i0, (t0, x0, y0)) ∈ 0 0 0 {1, . . . , w} × QC such that (t, x, y) and (t , x , y ) are both colliding queries, let us define event

0 0 0  ||   || 0  0 0 0 Coll(t, x, y, t , x , y )i,i ⇔ Tk1,t S1 (Tk0,t(x)) = Tk1,t S1 (Tk0,t (x )) . i i0 0 0 0 0 Then for any distinct pairs (i, (t, x, y)), (i , (t , x , y )) ∈ {1, . . . , w} × QC , one has

0 0 0 0 0 0 Pr [Coll1(t, x, y) ∧ Coll1(t , x , y ) ∧ Coll(t, x, y, t , x , y )i,i0 ] 0 0 0 0 0 0 = Pr [Coll(t, x, y, t , x , y )i,i0 | Coll1(t, x, y) ∧ Coll1(t , x , y )] 0 0 0 × Pr [Coll1(t , x , y ) | Coll1(t, x, y)] 0 2 × Pr [Coll1(t, x, y)] ≤ δ · 1 · (δ wp + δw q),

22 where, for the last inequality, we used the (δ, δ0)-blockwise uniformity of T and 0 0 0 the fact that the event Coll1(t, x, y) ∧ Coll1(t , x , y ) only depends on the choice 0 0 0 of k0 whereas Coll(t, x, y, t , x , y )i,i0 involves the choice of k1. Thus, by summing over every such pair, one obtains

0 2 2 0 2 Pr [τ ∈ Θ4] ≤ δw q (δ wp + δw q).

Similarly, one has

0 2 2 0 2 Pr [τ ∈ Θ5] ≤ δw q (δ wp + δw q).

The lemma follows by taking a union bound over all the conditions. ut

Our next step is to study good extended transcripts.

Lemma 9. For any good extended transcript τ 0, one has

q2 q(2wp + 6w2q)2 (2wn) p(τ 0) ≥ 1 − − . q 2wn 22n

0 0 Proof. Fix any good extended transcript τ = (QC , QS, QS, (k0, k1, k2)). Let us denote p = |Q(1)| and p = |Q(1)|. 1 S1 2 S2 0 wn Our goal is then to prove that p(τ ) is close enough to 1/(2 )q. In order to do so, we are going to group the construction queries according to the type of collision they are involved in:

QU1 = {(t, x, y) ∈ QC : Tk0,t(x)i ∈ U1 for i = 1, . . . , w} Q = {(t, x, y) ∈ Q : T −1 (y) ∈ V for i = 1, . . . , w} V2 C k2,t i 2

Q0 = QC \ (QU1 ∪ QV2 ) .

0 Note that, thanks to the additional queries from QS, there is an equivalence between the events “Tk0,t(x)i ∈ U1 for each i = 1, . . . , w” and “there exists i ∈ {1, . . . , w} such that Tk0,t(x)i ∈ U1”. Thus, one has by definition |QU1 | = α1.

Similarly, one has |QV2 | = α2. Also note that these sets form a partition of QC :

– Q0 ∩ QU1 = ∅ by definition;

– Q0 ∩ QV2 = ∅ by definition; 0 – QU1 ∩ QV2 = ∅ since otherwise τ would satisfy (C-1).

T If we denote respectively EU1 , EV2 and E0 the event SP [S]k ` QU1 , QV2 , Q0, the T event SP [S]k ` QC is equivalent to EU1 ∧ EV2 ∧ E0. Note that, by definition of QU1 , each (t, x, y) ∈ QU1 is such that Tk0,t(x)i ∈ U1 for each i = 1, . . . , w; this means that the output of S is already fixed by Q(1) and E actually only 1 S1 U1

23 involves S2. A similar reasoning can be made for EV2 . Thus we have

0 h (1) (1)i p(τ ) = Pr EU ∧ EV ∧ E0 S1 ` Q ∧ S2 ` Q 1 2 S1 S2 h (1) (1)i = Pr EU ∧ EV S1 ` Q ∧ S2 ` Q 1 2 S1 S2 h (1) (1)i × Pr E0 EU ∧ EV ∧ S1 ` Q ∧ S2 ` Q 1 2 S1 S2 h (1)i h (1)i = Pr EU S2 ` Q · Pr EV S1 ` Q 1 S2 2 S1 h (1) (1)i × Pr E0 EU ∧ EV ∧ S1 ` Q ∧ S2 ` Q , (9) 1 2 S1 S2

h (1)i h (1)i where Pr EU S2 ` Q (resp. Pr EV S1 ` Q ) is the probability, over the 1 S2 2 S1 random choice of permutation S2 (resp. permutation S1), that S2 (resp. S1) is compatible with the additional equations implied by QU1 (resp. by QV2 ), conditioned on the event S ` Q(1) (resp. S ` Q(1)). 2 S2 1 S1 h (1)i h (1)i In order to evaluate Pr EU S2 ` Q and Pr EV S1 ` Q , we first note 1 S2 2 S1 that, since we condition on the event S ` Q(1), S is already fixed on p values. 2 S2 2 2 Second, remark that this event is actually equivalent to the following equations:

  ||   −1 S2 Tk1,t S1 (Tk0,t(x)) = Tk ,t(y)i i 2

 ||  for every (t, x, y) ∈ QU1 and i ∈ {1, . . . , w}. All the values Tk1,t S1 (Tk0,t(x)) i are actually pairwise distinct and outside U2 since otherwise (C-2) or (C-4) would be satisfied. Similarly, the values T −1 (y) are pairwise distinct and outside V k2,t i 2 since otherwise (C-1) would be satisfied. Indeed, if a collision between two values T −1 (y) had occured, then these values would also appear in V . Hence the event k2,t i 2

EU1 is actually equivalent to wα1 new and distinct equations on S2, so that

h (1)i 1 Pr EU S2 ` Q = . (10) 1 S2 n (2 − p2)wα1 By a similar reasoning, one has

h (1)i 1 Pr EV S1 ` Q = . (11) 2 S1 n (2 − p1)wα2

h (1) (1)i The next step is to lower bound Pr E0 EU ∧ EV ∧ S1 ` Q ∧ S2 ` Q . 1 2 S1 S2 Conditioned on E ∧ E ∧ S ` Q(1) ∧ S ` Q(1), S and S are fixed on U1 V2 1 S1 2 S2 1 2 0 0 respectively p1 + wα2 and p2 + wα1 values. Let U1 (resp. U2) be the set of 0 0 values on which S1 (resp. S2) is already fixed and V1 = {S1(u): u ∈ U1} (resp. 0 0 V2 = {S2(u): u ∈ U2}). Let also q0 = |Q0|. For clarity, we denote

Q0 = {(t1, x1, y1),..., (tq0 , xq0 , yq0 )},

24 using an arbitrary ordering of the queries.

Our goal is now to compute a lower bound on the number of possible “intermediate values” such that the event E0 is equivalent to new and dis-

tinct equations on S1 and S2. First note that the values Tk0,t(x)i for each 0 (t, x, y) ∈ Q0, i ∈ {1, . . . , w} are pairwise distinct and outside U1. Indeed, if this were not the case, then at least one query in Q0 would be a colliding query. By definition of our security experiment, this means that this query would either be

in EU1 or EV2 , depending on the type of collision it is involved in. Similarly, the values T −1 (y) for each (t, x, y) ∈ Q , i ∈ {1, . . . , w} are pairwise distinct and k2,t i 0 0 outside V2 .

Let N0 be the number of tuples of distinct values (v1,i,j)1≤i≤q0,1≤j≤w in n 0 w {0, 1} \V1 such that the values (Tk1,ti (||k=1v1,i,k)j)1≤i≤q0,1≤j≤w are also pairwise 0 n 0 distinct and outside U2. Let i ∈ {1, . . . , q0}. There are exactly (2 − |V1 | − w(i − n 0 1))w possible tuples of distinct values (v1,i,j)1≤j≤w in {0, 1} \V1 that will also be different from the previous values v1,i,j for i < q0 and j ∈ {1, . . . , w}. Similarly, n 0 there are exactly (2 − |U2| − w(i − 1))w possible tuples of distinct values for w n 0 (Tk1,ti (||k=1v1,i,k))1≤j≤w in {0, 1} \U2 that will also be different from the previous w values Tk1,ti (||k=1v1,i,k) for i < q0 and j ∈ {1, . . . , w}. This removes at most wn n 0 w 2 − (2 − |U2| − w(i − 1))w tuples of values for (Tk1,ti (||k=1v1,i,k))1≤j≤w. Since wn n 0 Tk1,ti is a permutation, we have to remove at most 2 − (2 − |U2| − w(i − 1))w possible tuples of values for (v1,i,j)1≤j≤w. Thus

q0 Y n 0 n 0 wn N0 ≥ ((2 − |V1 | − w(i − 1))w + (2 − |U2| − w(i − 1))w − 2 ) . (12) i=1

For any tuple of values (v1,i,j) fulfilling the previous conditions, then, conditioned

on S1 satisfying S1(Tk0,ti (xi))j = v1,i,j, the event E0 is equivalent to wq0 distinct and new equations on S2. Hence, it follows that

h (1) (1)i Pr E0 EU ∧ EV ∧ S1 ` Q ∧ S2 ` Q 1 2 S1 S2 N0 ≥ n n . (13) (2 − p1 − wα2)wq0 (2 − p2 − wα1)wq0

Combining (9), (10), (11), (12)(13), we obtain

25 q0−1  n  wn Q (2 − p1 − w(α2 + i))w (2 )q n wn wn 0 i=0 +(2 − p2 − w(α1 + i))w − 2 (2 )qp(τ ) ≥ n n (2 − p1)wq0+wα2 (2 − p2)wq0+wα1 (2wn) = q q0wn n n 2 (2 − p1)wα2 (2 − p2)wα1  n  wn (2 − p1 − w(α2 + i))w q0−1 2 n wn Y +(2 − p2 − w(α1 + i))w − 2 × (2n − p − wα − wi) (2n − p − wα − wi) i=0 1 2 w 2 1 w wn q0−1 (2 )q Y ≥ · ∆i 2q0wn(2n − p ) (2n − p ) 1 wα2 2 wα1 i=0 where  2wn   2wn  ∆i = 1 − n − 1 n − 1 (2 − p2 − wα1 − wi)w (2 − p1 − wα2 − wi)w for i = 0, . . . , q0 − 1. We also have α1 ≤ q and p2 ≤ p + wq, which gives 2wn  2n w  p + 3wq w n ≤ n ≤ 1 + n . (2 − p2 − wα1 − wi)w 2 − p − 3wq 2 − p − 3wq Then, since wp + 3w2q < 2n/2, we can apply Lemma1 and we get 2wn wp + 3w2q 2wp + 6w2q n ≤ 1 + n 2 ≤ 1 + n . (2 − p2 − wα1 − wi)w 2 − wp − 3w q 2 Similarly, one has 2wn 2wp + 6w2q n ≤ 1 + n . (2 − p1 − wα2 − wi)w 2 Thus one has 2wp + 6w2q 2 ∆ ≥ 1 − . i 2n Moreover, one has (2wn) (2wn − q)q  q q q2 q ≥ ≥ 1 − ≥ 1 − . q0wn n n qwn wn wn 2 (2 − p1)wα2 (2 − p2)wα1 2 2 2 Finally, we get

!q0  q2  2wp + 6w2q 2 (2wn) p(τ 0) ≥ 1 − 1 − q 2wn 2n  q2   q(2wp + 6w2q)2  ≥ 1 − 1 − 2wn 22n q2 q(2wp + 6w2q)2 ≥ 1 − − . ut 2wn 22n

26 4.3 Asymptotically Optimal Security of SPNs In this section, we will prove that if T is a super blockwise tweakable universal permutation, then the security of SPT converges to 2n (in terms of the threshold number of queries) as the number of rounds r increases. Theorem 4. For an even integer r, let SPT be an r-round substitution-permutation network based on a (δ, δ0)-super blockwise tweakable universal permutation T . Then one has r mu √ 0 2 0 2
4 AdvSPT (p, q) ≤ 4 q 2wpδ + 2w q(δ + δ) + w δ . T rn Hence, assuming δ, δ0 ' 2−n and p = q, an r-round SP is secure up to 2 r+2 queries. Proof of Theorem4. We assume that r = 2s for a positive integer s. Let T SP [S] denote a variant of SPT [S] without the last permutation layer. Then one has −1  T −1  T SPT [S] = SP [S(2)] ◦ T ◦ SP [S(1)]

(1) (2) −1 −1 for S = (S1,...,Ss) and S = (S2s ,...,Ss+1). Our proof strategy is to first prove NCPA-security of SP in the multi-user setting and lift it to CCA-security by doubling the number of rounds. Suppose that a distinguisher D makes p primitive queries to each of the underlying S-boxes and makes q construction queries in the multi-user setting, obtaining an attainable transcript τ = (QC , QS). We can partition QC and QS as follows.

QC = QC1 ∪ · · · ∪ QC` ,

QS = QS1 ∪ · · · ∪ QSs ∪ QSs+1 ∪ · · · ∪ QS2s , where we will write (1) QS = QS1 ∪ · · · ∪ QSs , (2) QS = QSs+1 ∪ · · · ∪ QS2s .

Throughout the proof, we will write QCj = (tj,i, xj,i, yj,i)1≤i≤qj for j = 1, . . . , `. So qj denotes the number of queries made to the j-th construction oracle Cj, and (tj,i, xj,i, yj,i) represents the evaluation obtained by the i-th query to Cj. We will also write t = (tj)1≤j≤`, x = (xj)1≤j≤`, y = (yj)1≤j≤`, where

tj = (tj,1, . . . , tj,qj ), xj = (xj,1, . . . , xj,qj ), yj = (yj,1, . . . , yj,qj ), for j = 1, . . . , `. Without loss of generality, we can assume that the indices (j, i) have been grouped by their tweaks tj,i; suppose that tj consists of d different ∗ ∗ tweaks, t1, . . . , td ∈ T . Then by dropping j for simplicity (when it will be clear from the context), we can write

∗ ∗ xj = (x1,..., xd),

27 ∗ ∗ ∗ ∗ 0 so that xi = (xi,1, . . . , x 0 ) corresponds to ti for i = 1, . . . , d, where qi is the i,qi ∗ 0 0 multiplicity of ti in tj (satisfying q1 + ... + qd = qβ). Let

 n qj 0 0 0 Ωtj = (u1, . . . , uqj ) ∈ ({0, 1} ) : ∀i 6= i , (tj,i, ui) 6= (tj,i , ui ) ,

Ωt = Ωt1 × ... × Ωt` .

With these notations, we define probability distributions µ1 and µ2 on Ωt; for each z = (z1,..., z`) ∈ Ωt,

  def = $ s $ s T (1) µ1(z) Pr k1,..., k` ← K , S ← Perm(n) : ∀j, SPkj [S] ` (tj,i, xj,i, zj,i)1≤i≤qj |S ` QS ,   def = $ s $ s T (2) µ2(z) Pr k1,..., k` ← K , S ← Perm(n) : ∀j, SPkj [S] ` (tj,i, yj,i, zj,i)1≤i≤qj |S ` QS ,

where we write zj = (zj,i)1≤i≤qj for j = 1, . . . , `. Using the coupling technique, we can upper bound the statistical distance between µc and the uniform probability distribution for c = 1, 2. The proof of the following lemma can be found in [CL18].

Lemma 10. For c = 1, 2, let µc be the probability distribution defined as above, and let ν be the uniform probability distribution on Ωt. Then for c = 1, 2, one has kµc − νk ≤ ε, where

def s ε = ε(p, q) = q 2wpδ0 + 2w2q(δ0 + δ) + w2δ
.

By Lemma√ 6 and Lemma 10, we have a subset Z1 ⊂ Ωt such that |Z1| ≥ (1 − ε)|Ωt| and √ √ 1 − ε µ1(z) ≥ (1 − ε)ν(z) = |Ωt|

for every√ z ∈ Z1. Similarly, we also have a subset Z2 ⊂ Ωt such that |Z2| ≥ (1 − ε)|Ωt| and √ √ 1 − ε µ2(z) ≥ (1 − ε)ν(z) = |Ωt|

` for every z ∈ Z2. For a fixed key (k1, . . . , k`) ∈ K , let

Z0 = {(T −1 (z ),...,T −1 (z )) : (z ,..., z ) ∈ Z }, 2 k1,t1 1 ,k`,t` ` 1 ` 2

28 0 and let Z = Z1 ∩ Z2. Then it follows that   T p2(QC |QS) = Pr ∀j, SPk [S] ` QCj |S ` QS j   1 X T (1) ≥ Pr ∀j, SPk [S] ` (tj, xj, zj) |S ` Q |K|` j S k1,...,k`∈K z1,...,z`∈Z

 −1  T (2) × Pr ∀j, SPk [S] ` (tj, yj,Tkj ,tj (zj)) |S ` Q j S √ √ 1 − ε2 √ ≥ (1 − 2 ε)|Ωt| · ≥ (1 − 4 ε)p1(QC |QS) |Ωt| √ since |Z| ≥ (1 − 2 ε)|Ωt|. By Lemma3, we complete the proof of Theorem4.

Acknowledgments

The work of Aishwarya Thiruvengadam was done while at the University of Maryland. Benoît Cogliati was partially supported by the European Union’s H2020 Programme under grant agreement number ICT-644209. The work of Yevgeniy Dodis was done in part while visiting the University of Maryland, and was supported by gifts from VMware Labs and Google, as well as NSF grants 1619158, 1319051, and 1314568. The work of Jonathan Katz and Aishwarya Thiruvengadam was performed under financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology. Jooyoung Lee was supported by a National Research Foundation of Korea (NRF) grant funded by the Korean government (Ministry of Science and ICT), No. NRF-2017R1E1A1A03070248.

References

[BBK14] Alex Biryukov, Charles Bouillaguet, and Dmitry Khovratovich. Crypto- graphic schemes based on the ASASA structure: Black-box, white-box, and public-key (extended abstract). In Advances in Cryptology—Asiacrypt 2014, Part I, volume 8873 of LNCS, pages 63–84. Springer, 2014. [BD99] D. Bleichenbacher and A. Desai. A construction of a super-pseudorandom cipher, February 1999. Unpublished manuscript. [BDPA09] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Kec- cak Sponge Function Family Main Document. Submission to NIST (Round 2), 2009. Available at http://keccak.noekeon.org/Keccak-main-2.0. pdf. [BK] Alex Biryukov and Dmitry Khovratovich. Decomposition attack on SASASASAS. Available at http://eprint.iacr.org/2015/646. [BKL+17] Daniel J. Bernstein, Stefan Kölbl, Stefan Lucks, Pedro Maat Costa Mas- solino, Florian Mendel, Kashif Nawaz, Tobias Schneider, Peter Schwabe,

29 François-Xavier Standaert, Yusuke Todo, and Benoît Viguier. GIMLI: a cross-platform permutation. In Wieland Fischer and Naofumi Homma, editors, Cryptographic Hardware and Embedded Systems - CHES 2017, volume 10529 of LNCS. Springer, 2017. To appear. Also available at http://eprint.iacr.org/2017/630. [BS10] Alex Biryukov and Adi Shamir. Structural cryptanalysis of SASAS. Journal of Cryptology, 23(4):505–518, 2010. [CDMS10] Jean-Sébastien Coron, Yevgeniy Dodis, Avradip Mandal, and Yannick Seurin. A domain extender for the ideal cipher. In 7th Theory of Cryp- tography Conference—TCC 2010, volume 5978 of LNCS, pages 273–289. Springer, 2010. [CHK+16] Jean-Sébastien Coron, Thomas Holenstein, Robin Künzler, Jacques Patarin, Yannick Seurin, and Stefano Tessaro. How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction. J. Cryptology, 29(1):61–114, 2016. [CL18] Benoît Cogliati, and Jooyoung Lee. Wide Tweakable Block Ciphers Based on Substitution-Permutation Networks: Security Beyond the Birthday Bound. IACR Cryptology ePrint Archive, Report 2018/488, 2018. Available at http://eprint.iacr.org/2018/488. [CLL+14] Shan Chen, Rodolphe Lampe, Jooyoung Lee, Yannick Seurin, and John P. Steinberger. Minimizing the Two-Round Even-Mansour Cipher. In Juan A. Garay and Rosario Gennaro, editors, Advances in Cryptology - CRYPTO 2014 (Proceedings, Part I), volume 8616 of LNCS, pages 39–56. Springer, 2014. [CLS15] Benoît Cogliati, Rodolphe Lampe, and Yannick Seurin. Tweaking Even- Mansour Ciphers. In Rosario Gennaro and Matthew Robshaw, editors, Advances in Cryptology - CRYPTO 2015 (Proceedings, Part I), volume 9215 of LNCS, pages 189–208. Springer, 2015. [CS06] Debrup Chakraborty and Palash Sarkar. A New Mode of Encryption Providing a Tweakable Strong Pseudo-random Permutation. In Matthew Robshaw, editor, Fast Software Encryption - FSE 2006, volume 4047 of LNCS, pages 293–309. Springer, 2006. [CS14] Shan Chen and John Steinberger. Tight Security Bounds for Key- Alternating Ciphers. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of LNCS, pages 327–350. Springer, 2014. [Dae95] Joan Daemen. Cipher and Hash Function Design Strategies Based on Linear and Differential Cryptanalysis. PhD thesis, Katholieke Universiteit Leuven, 1995. [DDKL] Itai Dinur, Orr Dunkelman, Thorsten Kranz, and Gregor Leander. Decomposing the ASASA block cipher construction. Available at http://eprint.iacr.org/2015/507. [DKS+17] Yevgeniy Dodis, Jonathan Katz, John P. Steinberger, Aishwarya Thiru- vengadam, and Zhe Zhang. Provable Security of Substitution-Permutation Networks. IACR Cryptology ePrint Archive, Report 2017/016, 2017. Avail- able at http://eprint.iacr.org/2017/016. [DSSL16] Yevgeniy Dodis, Martijn Stam, John P. Steinberger, and Tianren Liu. In- differentiability of confusion-diffusion networks. In Advances in Cryptology— Eurocrypt 2016, Part II, volume 9666 of LNCS, pages 679–704. Springer, 2016.

30 [EM97] Shimon Even and Yishay Mansour. A Construction of a Cipher from a Single Pseudorandom Permutation. J. Cryptology, 10(3):151–162, 1997. [Fei73] Horst Feistel. Cryptography and computer privacy. Scientific American, 228(5):15–23, 1973. [GJMN16] Robert Granger, Philipp Jovanovic, Bart Mennink, and Samuel Neves. Improved Masking for Tweakable Blockciphers with Applications to Au- thenticated Encryption. In Marc Fischlin and Jean-Sebastien Coron, editors, Advances in Cryptology - Eurocrypt 2016 (Proceedings, Part I), volume 9665 of LNCS, pages 263–293. Springer, 2016. [Hal07] Shai Halevi. Invertible Universal Hashing and the TET Encryption Mode. In Alfred Menezes, editor, Advances in Cryptology - Crypto 2007, volume 4622 of LNCS, pages 412–429. Springer, 2007. [HKT11] Thomas Holenstein, Robin Künzler, and Stefano Tessaro. The Equivalence of the Random Oracle Model and the Ideal Cipher Model, Revisited. In Lance Fortnow and Salil P. Vadhan, editors, Symposium on Theory of Computing - STOC 2011, pages 89–98. ACM, 2011. [HR03] Shai Halevi and Phillip Rogaway. A tweakable enciphering mode. In Advances in Cryptology—Crypto 2003, volume 2729 of LNCS, pages 482– 499. Springer, 2003. [HR04] Shai Halevi and Phillip Rogaway. A parallelizable enciphering mode. In Cryptographers’ Track—RSA 2004, volume 2964 of LNCS, pages 292–304. Springer, 2004. [HR10] Viet Tung Hoang and Phillip Rogaway. On Generalized Feistel Networks. In Tal Rabin, editor, Advances in Cryptology - CRYPTO 2010, volume 6223 of LNCS, pages 613–630. Springer, 2010. [HT16] Viet Tung Hoang and Stefano Tessaro. Key-Alternating Ciphers and Key- Length Extension: Exact Bounds and Multi-user Security. In Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology - CRYPTO 2016 (Proceedings, Part I), volume 9814 of LNCS, pages 3–32. Springer, 2016. [IK00] Tetsu Iwata and Kaoru Kurosawa. On the pseudorandomness of the AES finalists—RC6 and Serpent. In Fast Software Encryption—FSE 2000, volume 1978 of LNCS, pages 231–243. Springer, 2000. [Jou03] Antoine Joux. Cryptanalysis of the EMD mode of operation. In Advances in Cryptology—Eurocrypt 2003, volume 2656 of LNCS, pages 1–16. Springer, 2003. [KL15] J. Katz and Y. Lindell. Introduction to Modern Cryptography, 2nd edition. Chapman & Hall/CRC Press, 2015. [LPS12] Rodolphe Lampe, Jacques Patarin, and Yannick Seurin. An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology - ASIACRYPT 2012, volume 7658 of LNCS, pages 278–295. Springer, 2012. [LR88] Michael Luby and Charles Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM Journal on Computing, 17(2):373–386, 1988. [LRW11] Moses Liskov, Ronald L. Rivest, and David A. Wagner. Tweakable block ciphers. J. Cryptology, 24(3):588–613, 2011. [Men16] Bart Mennink. XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees. In Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology - Crypto 2016 (Proceedings, Part I), volume 9814 of LNCS, pages 64–94. Springer, 2016.

31 [MF07] David A. McGrew and Scott R. Fluhrer. The security of the extended codebook (XCB) mode of operation. In 14th Annual Intl. Workshop on Selected Areas in Cryptography (SAC), volume 4876 of LNCS, pages 311–327. Springer, 2007. [MRH04] Ueli M. Maurer, Renato Renner, and Clemens Holenstein. Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In 1st Theory of Cryptography Conference—TCC 2004, volume 2951 of LNCS, pages 21–39. Springer, 2004. [MRS09] Ben Morris, Phillip Rogaway, and Till Stegers. How to Encipher Messages on a Small Domain. In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, volume 5677 of LNCS, pages 286–302. Springer, 2009. [MV15] Eric Miles and Emanuele Viola. Substitution-permutation networks, pseu- dorandom functions, and natural proofs. J. ACM, 62(6):46, 2015. [NR99] Moni Naor and Omer Reingold. On the construction of pseudorandom permutations: Luby-Rackoff revisited. Journal of Cryptology, 12(1):29–66, 1999. [Pat03] Jacques Patarin. Luby-Rackoff: 7 Rounds Are Enough for 2n(1−) Security. In Dan Boneh, editor, Advances in Cryptology - CRYPTO 2003, volume 2729 of LNCS, pages 513–529. Springer, 2003. [Pat04] Jacques Patarin. Security of Random Feistel Schemes with 5 or More Rounds. In Matthew K. Franklin, editor, Advances in Cryptology - CRYPTO 2004, volume 3152 of LNCS, pages 106–122. Springer, 2004. [Pat08] Jacques Patarin. The “Coefficients H” Technique. In Roberto Maria Avanzi, Liam Keliher, and Francesco Sica, editors, Selected Areas in Cryptography - SAC 2008, volume 5381 of LNCS, pages 328–345. Springer, 2008. [Pat10] Jacques Patarin. Security of Balanced and Unbalanced Feistel Schemes with Linear Non Equalities. IACR Cryptology ePrint Archive, Report 2010/293, 2010. Available at http://eprint.iacr.org/2010/293. [Sha49] Claude Shannon. Communication Theory of Secrecy Systems. Bell System Technical Journal, 28(4):656–715, 1949. [Tes14] Stefano Tessaro. Optimally Secure Block Ciphers from Ideal Primitives. In Tetsu Iwata and Jung Hee Cheon, editors, Advances in Cryptology - ASIACRYPT 2014, volume 9453 of LNCS, pages 437–462. Springer, 2014. [Wag99] David Wagner. The boomerang attack. In Lars R. Knudsen, editor, Fast Software Encryption—FSE ’99, volume 1636 of LNCS, pages 156–170. Springer, March 1999.

32